All the latest UK technology news, reviews and analysis
|
|
|
13 Nov 2009
Researchers at Foreground security have discovered a way to attack browsers that handle Adobe's Flash objects.
Mike Bailey, senior researcher at the firm, revealed that the vulnerability could be used to attack any of the 99 per cent of internet users who use Flash, or any site that allows user-created content to be posted online and served back from the same domain.
"Flash objects are not web pages. A Flash object does not need to be injected into a web page to execute – simply loading the content is enough," wrote Bailey in a blog posting.
"Let's consider the implications of this policy for a moment. If I can get a Flash object on to your server, I can execute scripts in the context of your domain."
He continued, reminding readers of how many web sites allow users to upload files of some kind, and how many of those sites serve them back to users. " Nearly every one of them is vulnerable," he added, citing Google's Gmail service among others.
According to Bailey, any one of a number of file types could be used to inject malicious code into a web domain, including GIF format images and SWF files.
"Gmail serves attachments from mail.google.com, the same domain that is used to access other webmail functionality. You may already see where I'm going with this," he continued, adding that the technique could be used to send a payload to a user account, analyse sent messages and execute itself from the inbox.
Remedies seem to be rather extreme, and not without their compromises. "For users trying to protect themselves, disabling Flash completely is the only way to be sure. But that breaks a lot of valuable stuff on the internet," Hill said. "So you will probably end up mitigating rather than solving the issue."
Web site operators should switch to serving content from separate domains, something that Hill said was done by firms including Yahoo, Hotmail and Wikipedia.
Hill does not see a fix from Adobe coming "any time soon", while the firm itself has not yet responded to calls for comment.
Latest stories from Security
Related articles
Related jobs
Poll
Are you confident that the UK's IT infrastructure is secure from attack in the wake of the Flame malware revelations?
Orange and Intel talk us through the ins and outs of their San Diego smartphone
Connect with V3.co.uk
Social networking is almost ubiquitous. This white paper examines the benefits and risks and it looks at the different ways companies can reconcile them
The importance of understanding your infrastructure
Are you looking for a new positing within the Testing...
A leading global provider of critical information to...
Want to work for one of the most dynamic, creative environments...
Want to work for one of the most dynamic, creative environments...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
Use a flash blocker
Use a Firefox plugin like Flashblock or NoScript. With these you must explicity click on each bit of Flash to authorise it to start. This can neatly avoid unexpected bits of Flash from being run automatically.
Posted by: Gary Stimson 13 Nov 2009